From owner-freebsd-security Thu Nov 15 0:39:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from oxmail.ox.ac.uk (oxmail1.ox.ac.uk [129.67.1.2]) by hub.freebsd.org (Postfix) with ESMTP id 379AA37B405 for ; Thu, 15 Nov 2001 00:39:50 -0800 (PST)
Received: from heraldgate2.oucs.ox.ac.uk ([163.1.2.50] helo=frontend2.herald.ox.ac.uk ident=exim) by oxmail.ox.ac.uk with esmtp (Exim 3.33 #3) id 164I3a-0002pF-01; Thu, 15 Nov 2001 08:39:34 +0000
Received: from dhcp85.wadham.ox.ac.uk ([163.1.164.212] helo=piii600.wadham.ox.ac.uk) by frontend2.herald.ox.ac.uk with esmtp (Exim 3.32 #1) id 164I3j-0005Vx-00; Thu, 15 Nov 2001 08:39:43 +0000
Reply-To: cperciva@sfu.ca
Message-Id: <5.0.2.1.1.20011115083248.0e8cd548@popserver.sfu.ca>
X-Sender: cperciva@popserver.sfu.ca
X-Mailer: QUALCOMM Windows Eudora Version 5.0.2
Date: Thu, 15 Nov 2001 08:39:41 +0000
To: Tobias Roth , Stefan Probst
From: Colin Percival
Subject: Re: Spoofing file information?
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20011115092433.A9120@roy.unibe.ch>
References: <5.1.0.14.2.20011115143223.04264050@MailServer> <5.1.0.14.2.20011115143223.04264050@MailServer>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

At 09:24 15/11/2001 +0100, Tobias Roth wrote:
>So, if you use md5 to compare files, there are those two criteria for being
>sure that your files haven't been tampered with:
>
>1. the md5 binary has not been modified
>2. the checksums you made and to which you are comparing haven't been modified

Don't forget
3. you're running a kernel which is polite enough to pass the file to md5 intact

A compromised kernel can do anything it pleases, including keeping the original copies of files around and passing them to any integrity-checking code.
I remember there were some viruses (back in the MS-DOS days) which operated in this manner.

Colin Percival

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
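The checksum comparison the thread is discussing, written out as an added example (this is not code from the thread or from FreeBSD): a small MD5-based manifest builder and verifier. The manifest format (sorted "digest  path" lines), the helper names and the constructed sample tree are assumptions made for this example. It covers criterion 2 by refusing to use a checksum file whose own digest does not match a reference the operator recorded out of band; it cannot address criterion 1 (the checker itself) or Colin's criterion 3 (the kernel feeding it honest bytes), which is exactly why such checks are run from known-good boot media rather than from the suspect system. MD5 is used only to match the thread; swapping in hashlib.sha256 changes nothing structurally.

```python
"""Added example: MD5 manifest build/verify with an out-of-band reference digest.
Not from the mailing-list thread; format and names are assumptions."""
import hashlib
import os
import tempfile
from typing import Dict, List


def digest_bytes(data: bytes) -> str:
    """MD5 hex digest, matching the md5(1) comparison discussed in the thread."""
    return hashlib.md5(data).hexdigest()


def digest_file(path: str) -> str:
    """Stream a file through MD5 so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every regular file under root (path relative to root) to its digest."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = digest_file(full)
    return manifest


def serialize(manifest: Dict[str, str]) -> bytes:
    """One 'digest  path' line per file, sorted (assumed format, like md5sum output)."""
    return "".join(f"{d}  {p}\n" for p, d in sorted(manifest.items())).encode()


def parse(data: bytes) -> Dict[str, str]:
    """Inverse of serialize()."""
    stored: Dict[str, str] = {}
    for line in data.decode().splitlines():
        if line.strip():
            d, p = line.split("  ", 1)
            stored[p] = d
    return stored


def verify(root: str, manifest_bytes: bytes, reference_digest: str) -> Dict[str, List[str]]:
    """Criterion 2: trust the checksum file only if its own digest matches the value
    the operator recorded out of band; then compare the tree against it."""
    if digest_bytes(manifest_bytes) != reference_digest:
        raise ValueError("checksum file does not match its out-of-band reference digest")
    stored = parse(manifest_bytes)
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in stored if p in current and current[p] != stored[p]),
        "missing": sorted(p for p in stored if p not in current),
        "added": sorted(p for p in current if p not in stored),
    }


def demo() -> Dict[str, object]:
    """Constructed scenario: baseline a tiny tree, alter it, then verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary\n")
        with open(os.path.join(root, "etc_passwd"), "wb") as f:
            f.write(b"root:*:0:0:Charlie &:/root:/bin/sh\n")

        manifest = serialize(build_manifest(root))
        reference = digest_bytes(manifest)  # operator records this on paper / read-only media

        # Simulated tampering: one binary replaced, one unexpected file dropped in.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"replaced ls binary\n")
        with open(os.path.join(root, "extra"), "wb") as f:
            f.write(b"unexpected\n")
        report = verify(root, manifest, reference)

        # An edited checksum file is rejected before any file comparison happens.
        forged = bytearray(manifest)
        forged[0] = ord("1") if forged[0] != ord("1") else ord("2")
        try:
            verify(root, bytes(forged), reference)
            forgery_rejected = False
        except ValueError:
            forgery_rejected = True

    return {"report": report, "forgery_rejected": forgery_rejected}


if __name__ == "__main__":
    print(demo())
```

The reference digest is the one value that has to live somewhere the machine under test cannot rewrite; with it, a swapped checksum file is caught before any per-file comparison, whereas a trojaned checker binary or a kernel that serves pristine bytes to integrity tools (Colin's point) would leave the report clean regardless.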